Improper access control allows the attacker to comment in internal commit...

Improper access control allows the attacker to comment in internal commit after they are no longer admin

Improper access control allows the attacker to comment in internal commit...
Improper access control allows the attacker to comment in internal commit after they are no longer admin
d40b7902 · Charlie Ablett · GitLab Release Tools Bot · 771f3fb9 · d40b7902 · d40b7902
Commit d40b7902 authored Oct 29, 2019 by Charlie Ablett Committed by GitLab Release Tools Bot Oct 29, 2019
3 changed files
--- a/app/policies/commit_policy.rb
+++ b/app/policies/commit_policy.rb
@@ -4,4 +4,5 @@ class CommitPolicy < BasePolicy
  delegate { @subject.project }

  rule { can?(:download_code) }.enable :read_commit
+  rule { ~can?(:read_commit) }.prevent :create_note
 end
--- a/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml
+++ b/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml
+---
+title: Disallow unprivileged users from commenting on private repository commits
+merge_request:
+author:
+type: security
--- a/spec/policies/commit_policy_spec.rb
+++ b/spec/policies/commit_policy_spec.rb
@@ -8,28 +8,42 @@ describe CommitPolicy do
    let(:commit) { project.repository.head_commit }
    let(:policy) { described_class.new(user, commit) }

+    shared_examples 'can read commit and create a note' do
+      it 'can read commit' do
+        expect(policy).to be_allowed(:read_commit)
+      end
+
+      it 'can create a note' do
+        expect(policy).to be_allowed(:create_note)
+      end
+    end
+
+    shared_examples 'cannot read commit nor create a note' do
+      it 'can not read commit' do
+        expect(policy).to be_disallowed(:read_commit)
+      end
+
+      it 'can not create a note' do
+        expect(policy).to be_disallowed(:create_note)
+      end
+    end
+
    context 'when project is public' do
      let(:project) { create(:project, :public, :repository) }

-      it 'can read commit and create a note' do
-        expect(policy).to be_allowed(:read_commit)
-      end
+      it_behaves_like 'can read commit and create a note'

      context 'when repository access level is private' do
        let(:project) { create(:project, :public, :repository, :repository_private) }

-        it 'can not read commit and create a note' do
-          expect(policy).to be_disallowed(:read_commit)
-        end
+        it_behaves_like 'cannot read commit nor create a note'

        context 'when the user is a project member' do
          before do
            project.add_developer(user)
          end

-          it 'can read commit and create a note' do
-            expect(policy).to be_allowed(:read_commit)
-          end
+          it_behaves_like 'can read commit and create a note'
        end
      end
    end
@@ -37,9 +51,7 @@ describe CommitPolicy do
    context 'when project is private' do
      let(:project) { create(:project, :private, :repository) }

-      it 'can not read commit and create a note' do
-        expect(policy).to be_disallowed(:read_commit)
-      end
+      it_behaves_like 'cannot read commit nor create a note'

      context 'when the user is a project member' do
        before do
@@ -50,6 +62,18 @@ describe CommitPolicy do
          expect(policy).to be_allowed(:read_commit)
        end
      end
+
+      context 'when the user is a guest' do
+        before do
+          project.add_guest(user)
+        end
+
+        it_behaves_like 'cannot read commit nor create a note'
+
+        it 'cannot download code' do
+          expect(policy).to be_disallowed(:download_code)
+        end
+      end
    end
  end
 end